[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Steve Bluck sbluck at hotmail.com
Wed Nov 13 22:21:40 UTC 2019


FreeRADIUS is checking for a username in the format of [user]@[internet domain] for Eduroam (worldwide WiFi network, mostly used by Education); if it is not a locally defined Internet domain, it then refers the RADIUS request to a higher level RADIUS server. However, if it's our defined domain e.g. EXAMPLE.COM, it will check with our AD server.
Normally the sAMAccountName & AD domain pair is the same as the UPN, which is a user @ Internet Domain (some sites reference this as the email address but this is not technically correct).
The problem we have is our AD domain was set up years ago and followed then best practice of not using a public domain internally, so the domain name is EXAMPLE.CAMPUS while the UPN domain is EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for Business to work).
Samba / ntlm_auth queries AD based on the sAMAccountName & AD domain pair, but what FreeRADIUS is receiving is the UPN.
E.g. querying AD with a user & local domain pair works, e.g. TEST-USER@EXAMPLE.CAMPUS:
# ntlm_auth --request-nt-key --domain=EXAMPLE.CAMPUS --username=TEST-USER --password=******
NT_STATUS_OK: The operation completed successfully. (0x0)
Querying AD with AD Realm (NETBIOS) works e.g. TEST-USER@EXAMPLE:
# ntlm_auth --request-nt-key --domain=EXAMPLE --username=TEST-USER --password=******
NT_STATUS_OK: The operation completed successfully. (0x0)
But querying based on UPN fails e.g. TEST-USER@EXAMPLE.COM:
# ntlm_auth --request-nt-key --domain=EXAMPLE.COM --username=TEST-USER --password=******
NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)
I'm still getting my head around it myself, so may have used terms in the wrong context, e.g. REALM.

TL;DR: SAMBA is querying AD based on sAMAccountName but is receiving UPN from user so can't find the user.

Cheers
Steve
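As an added example (not part of Steve's message, nor FreeRADIUS's or Samba's own code), a small POSIX shell helper that performs the translation the thread is about: it splits the UPN-style login the RADIUS client supplies into user and realm, maps the UPN realm (EXAMPLE.COM) or the AD DNS domain (EXAMPLE.CAMPUS) to the NetBIOS domain (EXAMPLE) that ntlm_auth accepts, and refuses any realm that is not locally defined, which is the case FreeRADIUS should be proxying upstream. The realm table is an assumption constructed for the example; the helper only builds the ntlm_auth arguments and never calls ntlm_auth itself.

```shell
#!/bin/sh
# Added example: map "user@realm" to the --domain/--username pair ntlm_auth
# expects. The realm-to-NetBIOS table below is constructed for this example.

# upn_to_ntlm_args 'TEST-USER@EXAMPLE.COM'
#   prints:  --domain=EXAMPLE --username=TEST-USER
#   returns: 0 on success, 1 for a realm that is not ours (proxy it), 2 for malformed input
upn_to_ntlm_args() {
    upn=$1
    # Require exactly one '@' with a non-empty user part and realm part.
    case $upn in
        ''|@*|*@|*@*@*) return 2 ;;
        *@*) ;;
        *) return 2 ;;
    esac
    user=${upn%@*}
    # Realms are case-insensitive; normalise before the table lookup.
    realm=$(printf '%s' "${upn##*@}" | tr '[:lower:]' '[:upper:]')
    case $realm in
        # UPN suffix, AD DNS domain and NetBIOS name all resolve to the NetBIOS domain.
        EXAMPLE.COM|EXAMPLE.CAMPUS|EXAMPLE) domain=EXAMPLE ;;
        # Anything else is not locally defined: leave it to the upstream RADIUS server.
        *) return 1 ;;
    esac
    printf '%s%s %s%s\n' '--domain=' "$domain" '--username=' "$user"
}

# Build the full command line the way it would be passed to ntlm_auth.
# The password is intentionally a placeholder here.
ntlm_auth_cmdline() {
    args=$(upn_to_ntlm_args "$1") || return $?
    printf '%s %s %s\n' 'ntlm_auth --request-nt-key' "$args" '--password=******'
}

# Sample run (constructed input):
ntlm_auth_cmdline 'TEST-USER@EXAMPLE.COM'
```

An unknown realm such as someone@other.edu makes the helper exit 1 rather than produce arguments, so a wrapper can fall through to proxying instead of sending the request to the local AD.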

________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Thursday, 14 November 2019 10:41 AM
To: Steve Bluck <sbluck at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Can you clarify again what the UPN is vs what the users enter via
FreeRADIUS as their 'username'?

I'm a bit lost.

Andrew Bartlett